On 22/02/12 10:44, Simon McVittie wrote:
> I request an adopter for the tremulous package.
...
> there may be more undiscovered vulnerabilities, since it's basically a very
> old fork of ioquake3.
(There was indeed a reflected DoS.)
> Note that Tremulous has not had an official upstream release since 2006.
> The upstream website publicizes both 1.1.0 (the 2006 version we have)
> and "GPP1" (Gameplay Preview 1), essentially a beta version of Tremulous 1.2,
> which might in fact be more popular than 1.1.0 by this point, and is what
> is shipped in Fedora.
Also note that GPP1 was in 2009 and there has been no "official" release
since then. (Perhaps a sufficiently dedicated maintainer would find
something resembling a release by trawling through the forums, but I'm
not going to do that.)
Given Tremulous' history of security vulnerabilities and apparent lack
of upstream interest in point releases, I don't think Tremulous should
be in wheezy without an active maintainer. If nobody has adopted it
within a month I will ask for it to be removed.
S